Security allows you to protect private or classified data from getting into the wrong hands. If you execute only components that live on the same machine, security might not be a big issue.^[70] However, in a distributed system where objects can be potentially accessed by anyone in cyberspace, security is a must. COM provides a powerful security infrastructure that leverages RPC security. This security infrastructure uses the standard Security Support Provider Interface (SSPI), which is a specification that allows vendors to write their own private authentication packages called Security Service Providers (SSP) to which you were introduced earlier. Windows NT provides the NT Lan Manager (NTLM) authentication package, which is the only authentication protocol that COM supports in NT 4.0. Recall from Chapter 2, that NTLM utilizes challenge/response authentication and thus does not support delegation. Windows 2000 will support a more flexible and widely accepted authentication protocol called Kerberos, which supports both cloaking and delegation.

Whatever authentication package is used, security is seamlessly supported even for components that do not provide a single line of code to manage security. If this happens to be the case, the application silently accepts COM’s default security, most of which is totally configurable by an administrator. For systems that must provide a high degree of protection from attackers, COM allows you to programmatically control security as needed ...